CLAIMS 



What is claimed is: 

1. A method, comprising: 

defining a plurality of first rules made up of relatively less complex second 
rules; 

defining a policy having at least some of the plurality of first rules and 
defining corresponding actions to undertake that are related to communication of a 
packet within a network; 

converting the first rules into minterm representations; 

generating a bit mask for each of the second rules based on their 
presence in the minterm representations; 

using the generated bit masks and content in a header of the packet to 
evaluate the plurality of first rules in the policy and to determine a corresponding action 
to undertake. 

2. The method of claim 1 wherein using the content in the header of 
the packet to evaluate the plurality of first rules includes using content in fields of a 
hypertext transfer protocol (HTTP) header of the packet. 

3. The method of claim 2 wherein using content in the fields of the 
HTTP header of the packet includes using content from at least one of header value, 
header name, universal resource locator string, method, hostname, cookie, defined, and 
undefined fields of the HTTP header. 

4. The method of claim 1 wherein defining the plurality of first rules 
made up of relatively less complex second rules includes defining the first rules by 
nesting the second rules using logical operators. 

5. The method of claim 1 wherein defining the corresponding actions 
to undertake that are related to communication of the packet within the network includes 
at least one of defining forward, redirect, persist, reply error, and reset client actions for 
each set of matching first rules in the policy. 

6. The method of claim 1 wherein converting the first rules into 
minterm representations includes converting the first rules into minterms having sums of 
products of the second rules, and storing the minterms in a minterm data structure. 

7. The method of claim 6, further comprising placing all second rules 
of a similar type in same rule type data structures, wherein generating the bit mask for 
each of the second rules based on their presence in the minterm representations 
includes: 

determining a total number of minterms in the policy and using the total 
number of minterms to define a number of bit positions for the bit mask; and 
for each of the second rules: 

determining whether a particular second rule is present in each 
successive minterm in the minterm data structure for each of the rule type databases, 
and enabling a bit position of the bit mask that corresponds to each minterm where that 
particular second rule is present; 

disabling a bit position of the bit mask that corresponds to each 
minterm where that particular second rule is not present; and 

enabling a bit position of the bit mask that corresponds to each 
minterm where that particular second rule is not present and where the minterm 
includes second rules from a different rule type database. 

8. The method of claim 7 wherein using the generated bit masks and 
content in the header of the packet to evaluate the plurality of first rules in the policy and 
to determine the corresponding action to undertake includes: 

searching for a second rule in each rule type database that corresponds to 
content in the packet; 

for second rules located by the searching, obtaining the corresponding 
generated bit masks; 

applying a logical operation to the obtained bit masks to generate a new 
bit mask; 

locating a first non-zero value in a bit position of the new bit mask, and 
designating a first rule in a minterm corresponding to that bit position as a match. 

9. The method of claim 8 wherein the logical operation includes an 
AND operation. 
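The following worked example is added here and is not part of the patent text or of any implementation by the applicant. It models, in Python, the method of claims 1 and 6 through 9 (claims 11, 16, 20 and 21 recite the same steps in other forms): nested first rules are rewritten as sums of products of second rules, each second rule receives a bit mask with one bit per minterm, and a packet is classified by ANDing the masks of the second rules located in each rule type database and taking the first enabled bit. All names in it (`Rule`, `Policy`, `to_minterms`, `classify`, the `host`/`url`/`cookie` rule types, the sample rules and the sample policy) are constructed for illustration. Two points are this example's own reading rather than anything the claims state: the third bullet of claim 7 is taken to mean that a second rule's bit is enabled for every minterm that contains no rule of that second rule's type, and a rule type database in which nothing matches contributes a mask that keeps only the minterms needing no rule of that type, so that a minterm whose hostname condition was never met cannot match on its URL condition alone. Only positive literals (no NOT operator) are supported.

```python
# Added example (not from the patent): policy evaluation with per-rule bit masks in
# the manner of claims 1 and 6 to 9.  Rule names, header fields and the policy are
# constructed for illustration.
from dataclasses import dataclass
from functools import reduce
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple, Union

@dataclass(frozen=True)
class Rule:
    rtype: str                    # rule type database it is filed under (claim 7)
    name: str
    test: Callable[[dict], bool]  # the 'second rule': a predicate over a parsed header

# A 'first rule' nests second rules with logical operators (claim 4):
# a Rule, ("and", e1, e2, ...) or ("or", e1, e2, ...).  Assumption: no NOT operator.
Expr = Union[Rule, tuple]
Minterm = FrozenSet[Rule]

def to_minterms(expr: Expr) -> List[Minterm]:
    """Claim 6: rewrite a nested first rule as a sum of products; each frozenset is
    one minterm (a product of second rules), kept in left-to-right order."""
    if isinstance(expr, Rule):
        return [frozenset([expr])]
    op, *args = expr
    parts = [to_minterms(a) for a in args]
    if op == "or":                          # sum: concatenate the products
        return [m for part in parts for m in part]
    if op == "and":                         # product: distribute over the sums
        acc: List[Minterm] = [frozenset()]
        for part in parts:
            acc = [a | m for a in acc for m in part]
        return acc
    raise ValueError(f"unknown operator {op!r}")

def _needs_type(minterm: Minterm, rtype: str) -> bool:
    """True if the minterm contains a second rule from type database `rtype`."""
    return any(r.rtype == rtype for r in minterm)

class Policy:
    """Ordered (first rule, action) pairs compiled to one bit mask per second rule."""

    def __init__(self, entries: List[Tuple[Expr, str]]) -> None:
        self.minterms: List[Minterm] = []   # bit i of every mask <-> minterm i
        self.actions: List[str] = []        # action of the first rule owning minterm i
        for expr, action in entries:
            for m in to_minterms(expr):
                self.minterms.append(m)
                self.actions.append(action)
        self.width = len(self.minterms)     # claim 7: one bit position per minterm
        self.by_type: Dict[str, List[Rule]] = {}   # the rule type databases (claim 7)
        for m in self.minterms:
            for r in sorted(m, key=lambda r: r.name):
                if r not in self.by_type.setdefault(r.rtype, []):
                    self.by_type[r.rtype].append(r)
        self.masks = {r: self._mask_for(r) for rs in self.by_type.values() for r in rs}
        # Mask contributed by a type database in which no rule matches (assumption).
        self.no_match = {t: self._dont_care_mask(t) for t in self.by_type}

    def _mask_for(self, rule: Rule) -> int:
        """Claim 7: enable bit i if `rule` is in minterm i or if minterm i needs no
        rule of this type; disable it if the minterm needs another rule of the type."""
        return sum(1 << i for i, m in enumerate(self.minterms)
                   if rule in m or not _needs_type(m, rule.rtype))

    def _dont_care_mask(self, rtype: str) -> int:
        """Bit i enabled iff minterm i needs no rule from type database `rtype`."""
        return sum(1 << i for i, m in enumerate(self.minterms) if not _needs_type(m, rtype))

    def evaluate(self, header: dict) -> Tuple[Optional[Minterm], Optional[str]]:
        """Claims 8 and 9: search each type database, AND the located masks and take
        the first enabled bit; returns (minterm, action) or (None, None)."""
        result = (1 << self.width) - 1
        for rtype, rules in self.by_type.items():
            hits = [self.masks[r] for r in rules if r.test(header)]
            # Several hits in one type are OR-ed first (assumption); a type with no
            # hit keeps only the minterms that need no rule of that type.
            result &= reduce(int.__or__, hits) if hits else self.no_match[rtype]
        if result == 0:
            return None, None
        i = (result & -result).bit_length() - 1    # lowest enabled bit = highest priority
        return self.minterms[i], self.actions[i]

# Constructed sample second rules over a parsed HTTP header (dict of lowercase names).
HOST_EXAMPLE = Rule("host", "host_example", lambda h: h.get("host", "").endswith("example.com"))
HOST_ADMIN = Rule("host", "host_admin", lambda h: h.get("host") == "admin.example.com")
URL_API = Rule("url", "url_api", lambda h: h.get("path", "").startswith("/api/"))
URL_LOGIN = Rule("url", "url_login", lambda h: h.get("path") == "/login")
COOKIE_SESSION = Rule("cookie", "cookie_session", lambda h: "session=" in h.get("cookie", ""))

# Constructed sample policy: first rules in priority order with their actions (claim 5).
POLICY = Policy([
    (("and", HOST_ADMIN, ("or", URL_API, URL_LOGIN)), "redirect"),
    (("and", HOST_EXAMPLE, URL_API), "forward"),
    (COOKIE_SESSION, "persist"),
])

def classify(header: dict) -> Optional[str]:
    """Action for one packet's header, or None when no first rule in the policy matches."""
    return POLICY.evaluate(header)[1]
```

With this policy the four minterms are, in order, `host_admin AND url_api`, `host_admin AND url_login`, `host_example AND url_api` and `cookie_session`, so `host_admin` gets the mask `0b1011` and `url_api` gets `0b1101`. A request for `admin.example.com/login` matches both hostname rules (their masks are OR-ed to `0b1111`), then `url_login` (`0b1010`) and the cookie database's no-match mask (`0b0111`) leave bit 1 as the first enabled bit, which selects the `redirect` action. A request for `other.org/api/x` illustrates why the no-match mask matters: the `url_api` mask alone would leave bit 0 enabled and wrongly select the `redirect` rule even though no hostname rule matched, whereas ANDing in the hostname database's no-match mask (`0b1000`) clears it and the packet correctly falls through to the policy's default.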

10. A method, comprising: 

defining a plurality of complex rules made up of simpler rules and being 
indicative of actions to take relative to processing of a packet communicated within a 
network; 

converting the complex rules into minterm representations; 
generating a bit mask for each simpler rule based on the minterm 
representations of the complex rules; 

examining header content of the packet; and 

using the header content of the packet and the bit masks to evaluate the 
complex rules represented as minterms, and determining which action to undertake 
relative to that packet in accordance with results of the evaluation. 

11. The method of claim 10 wherein using the header content of the 
packet and the bit masks to evaluate the complex rules represented as minterms 
includes: 

determining which simpler rules correspond to the header content; 
determining the bit masks for these simpler rules; 

performing a logical operation on these bit masks to generate a new bit 
mask; and 

determining a complex rule that matches the header content from a 
minterm identifiable from the new bit mask. 

12. The method of claim 10 wherein generating the bit mask for each 
simpler rule includes generating bit position values in the bit mask based on whether a 
particular simpler rule is present in a minterm. 

13. The method of claim 10, further comprising: 

placing simpler rules of similar rule type in a common data structure; and 
searching each data structure for a specific rule that corresponds to the 
header content. 

14. The method of claim 10 wherein defining the plurality of complex 
rules made up of simpler rules includes using a plurality of logical operators to relate a 
plurality of simpler rules to form at least one complex rule. 

15. A method, comprising: 

reducing a first rule into at least one minterm made of a plurality of second 
rules that are less complex relative to the first rule; 

generating a bit mask for each of the second rules; 

for data from any field in a header of a packet, determining which second 
rules correspond to that data; 

applying a logical operation to the bit masks of the second rules 
corresponding to the data to obtain a new bit mask; and 

determining an action to undertake related to the packet from a minterm 
validated via the new bit mask. 

16. The method of claim 15 wherein applying the logical operation to 
the bit masks of the second rules to obtain the new bit mask includes applying an AND 
operation to these bit masks, and wherein determining the action to undertake from the 
minterm validated via the new bit mask includes identifying the minterm from a first 
non-zero bit position in the new bit mask. 

17. The method of claim 15 wherein generating the bit mask for each of 
the second rules includes determining bit position values of the bit mask based on 
whether a particular second rule is present in a given minterm. 

18. The method of claim 15, further comprising: 

examining data in fields of the header in addition to hostname, URL, and 
cookie fields; and 

searching for second rules corresponding to this data in separate data 
structures organized according to rule types. 

19. An article of manufacture, comprising: 

a machine-readable medium having instructions stored thereon to: 
define a plurality of first rules made up of relatively less complex second 
rules; 

define a policy having at least some of the plurality of first rules and define 
corresponding actions to undertake that are related to communication of a packet within 
a network; 

convert the first rules into minterm representations; 

generate a bit mask for each of the second rules based on their presence 
in the minterm representations; 

use the generated bit masks and content in a header of the packet to 
evaluate the plurality of first rules in the policy and to determine a corresponding action 
to undertake. 

20. The article of manufacture of claim 19 wherein the instructions to 
convert the first rules into minterm representations includes instructions to convert the 
first rules into minterms having sums of products of the second rules, and to store the 
minterms in a minterm data structure, 

wherein the machine-readable medium includes instructions stored 
thereon to locate all second rules of a similar type in same rule type data structures, 

wherein the instructions to generate the bit mask for each of the second 
rules based on their presence in the minterm representations includes instructions to: 

determine a total number of minterms in the policy and use the total 
number of minterms to define a number of bit positions for the bit mask; and 

for each of the second rules: 

determine whether a particular second rule is present in each 
successive minterm in the minterm data structure for each of the rule type databases, 
and enable a bit position of the bit mask that corresponds to each minterm where that 
particular second rule is present; 

disable a bit position of the bit mask that corresponds to each 
minterm where that particular second rule is not present; and 

enable a bit position of the bit mask that corresponds to each 
minterm where that particular second rule is not present and where the minterm 
includes second rules from a different rule type database. 

21. The article of manufacture of claim 19 wherein the instructions to 
use the generated bit masks and content in the header of the packet to evaluate the 
plurality of first rules in the policy and to determine the corresponding action to 
undertake includes instructions to: 

search for a second rule in each rule type database that corresponds to 
content in the packet; 

for second rules located by the searching, obtain the corresponding 
generated bit masks; 

apply a logical operation to the obtained bit masks to generate a new bit 
mask; 

locate a first enabled bit position of the new bit mask, and designate a first 
rule in a minterm corresponding to that bit position as a match. 



22. A system, comprising: 

a means for defining a plurality of complex rules made up of simpler rules 
and being indicative of actions to take relative to processing of a packet communicated 
within a network; 

a means for converting the complex rules into minterm representations; 

a means for generating a bit mask for each simpler rule based on the 
minterm representations of the complex rules; 

a means for examining header content of the packet; and 

a means for using the header content of the packet and the bit masks to 
evaluate the complex rules represented as minterms, and for determining which action 
to undertake relative to that packet in accordance with results of the evaluation. 

23. The system of claim 22 wherein the means for using the header 
content of the packet and the bit masks to evaluate the complex rules represented as 
minterms includes: 

a means for determining which simpler rules correspond to the header 
content; 

a means for determining the bit masks for these simpler rules; 

a means for performing a logical operation on these bit masks to generate 
a new bit mask; and 

a means for determining a complex rule that matches the header content 
from a minterm identifiable from the new bit mask. 

24. The system of claim 22 wherein the means for generating the bit 
mask for each simpler rule includes a means for generating bit position values in the bit 
mask based on whether a particular simpler rule is present in a minterm, the apparatus 
further comprising: 

a means for placing simpler rules of similar rule type in a common data 
structure; and 

a means for searching each data structure for a specific rule that 
corresponds to the header content. 

25. The system of claim 22, further comprising a means for 
communicating between a client device and a network component. 

26. An apparatus, comprising: 

a data structure having a first rule reduced into at least one minterm made 
of a plurality of second rules, and having a bit mask generated for each of the second 
rules; 

a first component having access to the data structure to determine which 
second rules correspond to data from any field in a header of a packet; 

a second component to apply a logical operation to the bit masks of the 
second rules determined by the first component to correspond to the data, and to obtain 
a new bit mask as a result of application of the logical operation; and 

a third component having access to the data structure to determine an 
action to undertake related to the packet from a minterm validated via the new bit mask. 

27. The apparatus of claim 26 wherein at least one of the data 
structure, first component, second component, and third component are located in a 
switch that can receive the packet. 

28. The apparatus of claim 26 wherein the data structure includes a 
plurality of rule type data structures that correspondingly store second rules of similar 
rule types. 

29. The apparatus of claim 26 wherein the header comprises an HTTP 
header of the packet. 

30. The apparatus of claim 26 wherein to define the first rule, the 
second rules are related using a plurality of logical operators. 